Tag Archives: cybercrime

Aviva 2nd Data Breach

Advent IM Security Consultant Del Brazil gives us his thoughts on the Aviva data breach.

For the second time in less than two years Aviva has reported a data breach in which customer data has been released to person(s) unknown. It is unclear at this time whether it was a procedural issue, a technical misconfiguration or an actual hacking attack. Although Aviva has been quick to admit to the breach, it has yet to confirm the breach's full extent and the number of affected customers.

The previous breach in February 2014 was the result of two employees selling customer data to external agencies. These two employees have since been arrested and released on bail pending charges related to suspicion of fraud by abuse of position.

Is it possible to prevent this kind of incident occurring or re-occurring? In essence no: there is no way that you can completely prevent this type of insider threat; however, you can put measures in place to deter or detect dishonest or disgruntled staff carrying out illegal activities. Potential measures include, but are not limited to, protective monitoring, staff awareness and staff vetting. Let’s look at each one of these possible measures:

Protective Monitoring – Briefly put, protective monitoring is where a company monitors its staff’s computer use and network activities. It’s not a ‘Big Brother’ approach, but it has certain levels of monitoring to identify suspicious activities such as large data transfers or inappropriate user activity, such as logging on at unusual times. If you would like to learn about employer responsibilities around the monitoring of staff and compliance with legislation such as the Data Protection Act, we have a presentation on this link (you will need sound).
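The two indicators named above, large data transfers and logons at unusual times, are simple enough to show as working detection logic. The following Go program is an added example written for this page; it is not code from Advent IM or from the post. The log format, the users, the 500 MiB transfer threshold and the 07:00 to 19:00 working day are all assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Thresholds are assumptions for this example, not figures from the post.
const (
	transferLimitBytes = 500 * 1024 * 1024 // flag a single transfer above 500 MiB
	workdayStartHour   = 7                 // logons before 07:00 are unusual
	workdayEndHour     = 19                // logons at or after 19:00 are unusual
)

// Alert is one suspicious event found in the activity log.
type Alert struct {
	User   string
	Reason string
	Line   string
}

// event is a parsed line of the constructed log format:
//
//	<RFC3339 timestamp> <user> <action> [bytes=<n>]
type event struct {
	at     time.Time
	user   string
	action string
	bytes  int64
}

func parseLine(line string) (event, error) {
	f := strings.Fields(line)
	if len(f) < 3 {
		return event{}, fmt.Errorf("malformed line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return event{}, err
	}
	ev := event{at: at, user: f[1], action: f[2]}
	for _, kv := range f[3:] {
		if strings.HasPrefix(kv, "bytes=") {
			if ev.bytes, err = strconv.ParseInt(strings.TrimPrefix(kv, "bytes="), 10, 64); err != nil {
				return event{}, err
			}
		}
	}
	return ev, nil
}

// outsideWorkingHours reports whether t falls outside the assumed working day
// or on a weekend.
func outsideWorkingHours(t time.Time) bool {
	wd := t.Weekday()
	if wd == time.Saturday || wd == time.Sunday {
		return true
	}
	return t.Hour() < workdayStartHour || t.Hour() >= workdayEndHour
}

// Detect applies the two checks the post names, large data transfers and
// logons at unusual times, and returns one alert per matching line. Lines
// that do not parse are flagged too: a log you cannot read is a gap in
// monitoring, not a clean result.
func Detect(log []string) []Alert {
	var alerts []Alert
	for _, line := range log {
		ev, err := parseLine(line)
		if err != nil {
			alerts = append(alerts, Alert{Reason: "unparseable log line", Line: line})
			continue
		}
		switch {
		case ev.action == "transfer" && ev.bytes > transferLimitBytes:
			alerts = append(alerts, Alert{User: ev.user, Reason: "large data transfer", Line: line})
		case ev.action == "logon" && outsideWorkingHours(ev.at):
			alerts = append(alerts, Alert{User: ev.user, Reason: "logon outside working hours", Line: line})
		}
	}
	return alerts
}

// SampleLog is constructed for this example; the users and activity are fictional.
// 2015-01-12 is a Monday and 2015-01-17 a Saturday.
var SampleLog = []string{
	"2015-01-12T09:02:11Z alice logon",
	"2015-01-12T09:15:40Z alice transfer bytes=2048000",
	"2015-01-12T23:41:03Z bob logon",
	"2015-01-12T23:55:19Z bob transfer bytes=734003200",
	"2015-01-17T10:05:00Z carol logon",
	"garbage line",
}

func main() {
	for _, a := range Detect(SampleLog) {
		fmt.Printf("%-6s %-28s %s\n", a.User, a.Reason, a.Line)
	}
}
```

Run against the sample log this raises four alerts: bob’s late-night logon, bob’s 700 MB transfer, carol’s Saturday logon and the unparseable line. In a real deployment the thresholds would be tuned per role rather than fixed, and a late logon by someone on a documented on-call rota would be suppressed rather than paged.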


Staff Awareness – This involves educating staff in a number of things, for instance reporting out-of-character mood swings or habits, or simply inappropriate computer or device related activities. Staff can also be educated on other potential threats to increase their awareness, and on how to report any suspicious activity. An example of this may be when a normally bubbly person suddenly becomes a recluse, which may indicate that they have some personal problem they are struggling with. It is appreciated that it may be a personal problem, but highlighting it to the management chain may firstly prompt extra or additional support being made available to that person and secondly, dependent upon the personal problem, may warrant additional safeguard measures being introduced to highlight or detect inappropriate or suspicious activity.

Staff Vetting – Vetting or security checking staff does provide an element of assurance; however, it is never 100% effective, just as a car’s MOT is really only valid on the day it’s issued. Vetting provides a snapshot of a member of staff’s suitability to hold a position of responsibility and, unless properly maintained, loses its credibility. Vetting can include a number of checks into an individual’s personal life and/or circumstances, such as their finances, nationality, last employment and/or personal references. The degree of vetting carried out is dependent upon the role of the individual within the organisation. For example, IT staff with enhanced privileges could have a more in-depth vetting check carried out to provide a degree of assurance that they are less likely to be susceptible to bribery, coercion etc.; although this is not mandatory, it can be a risk management decision made by an organisation.

Possible next steps for Aviva

  1. Fully investigate the breach and establish how, why, where, who and what was taken.
  2. Inform all affected customers.
  3. Look for trends and patterns related to previous incidents.
  4. Identify appropriate additional controls that may help prevent a re-occurrence.
  5. Ensure all breaches are reported to the ICO accordingly.
  6. Remind all staff of their responsibility to report irregularities or suspicious activity.
  7. Educate staff on the current threats.

Is it actually possible to prevent this from happening again? Insiders will always make great efforts to circumvent controls and safeguards, and if your insider has privileged access (such as system administrators or senior management) then the problem can increase exponentially. The key is to make it so difficult for this kind of insider to succeed, or to increase their perception of the likelihood that they will be discovered. We know we cannot make 100% of networks 100% secure 100% of the time, but if we make it difficult enough then we can reduce the risk of it happening, even if we can never guarantee it won’t happen again.


CRIME OF OUR GENERATION – A Look at the TalkTalk Breach

A review from Advent IM Security Consultant, Chris Cope.

The TalkTalk hack has left another major UK business reeling from a cyber attack and customers angry as, once again, there is a possibility that sensitive information is now in the public domain. The telecommunications company decided to take its own website offline on Wednesday following the presence of unusual traffic, with a ‘Russian Islamist’ hacking group claiming responsibility and the Metropolitan Police’s Cyber Crime unit now investigating. Details of precisely how the attack took place are not yet publicly available, but there are some points that are immediately apparent.

Customer security. The BBC is reporting that personal information and bank account details may have been stored in an unencrypted format and are now available to hacker groups. Some TalkTalk customers have complained about hoax communications already; it is likely that this is just the start. Customers will need to rely on TalkTalk to identify precisely which customers are affected, but in the interim they must monitor their bank accounts closely. Any suspicious activity must be reported to their bank immediately as potential fraud. When the TalkTalk website becomes accessible again, customers should immediately change their passwords, taking care to avoid passwords which are easily guessable.

Undoubtedly this is the crime of our generation, as more and more cyber attacks are reported. But organisations should not despair: it is perfectly possible to reduce the risk from cyber attack by following the basic security precautions contained within ISO27001. These can be applied to any organisation, large or small. From what we know of the attack already, there are some specific controls from that standard which become immediately apparent:

  • Use of encryption. Many networks are designed to be hard on the outside but soft on the inside. Once an attacker gains access to the network, they can wreak havoc. The use of encryption is not the solution to all threats, but encrypting sensitive information is an important consideration. This will not prevent the initial attack, but the impact of a breach is hugely reduced. It’s also a practical option that the Information Commissioner’s Office would deem reasonable, and its absence may be difficult to justify during any follow-on investigation. A good standard of encryption will make personal data unreadable to an attacker and, at the very least, will buy time for customers to make any changes to their account information they deem necessary.
  • Supplier security. In February of this year, TalkTalk reported that a third-party contractor, based in India, that had legitimate access to its customer accounts had been involved in a data breach. The use of suppliers is widespread and many organisations now off-shore certain practices for sound business reasons. But devolving the process does not devolve the responsibility, and organisations must make sure that their suppliers follow a suitable set of security controls that is consistent with their own. Included in this suite of controls relating to suppliers is the right to audit supplier activities and a linked-up incident management reporting structure. As further details on this incident emerge, it will be intriguing to discover how much TalkTalk knew of that incident and what steps they took to prevent follow-on attacks against their own network. No matter how secure a network may be, authorised connections from trusted third parties remain a very attractive attack route and they must be managed accordingly.
  • Defensive monitoring. The use of defensive monitoring will not prevent an attack, but it can help to radically reduce the impact. TalkTalk took the decision to take their services offline following the detection of unusual behaviour within their network. This is a brave call, and how much it will cost them in terms of financial or reputational impact is yet to be established. However, just how much worse could it have been without such monitoring? What if the first indication of the attack was when personal information was being publicly sold and exploited? There is a cost to effective defensive monitoring, but it is a cost often worth paying in order to lessen the eventual impact of a breach.
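The first bullet’s point, that data encrypted at rest is unreadable to whoever copies the table, is easy to show concretely. The Go program below is an added example for this page, not code from Advent IM, TalkTalk or the post; it uses the Go standard library’s AES-256-GCM and a customer record whose name, sort code and account number are constructed. The helper names (NewKey, Seal, Open, Exposed) are the example’s own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh random 256-bit key. In a real deployment the key is
// held in a key management service or HSM, never in the same store as the data:
// an attacker who takes both has gained nothing from the encryption.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a serialised record with AES-256-GCM. A random nonce is
// generated per record and stored as the prefix of the returned blob; the GCM
// authentication tag means any tampering with the stored blob is detected by Open.
func Seal(key, record []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, record, nil), nil
}

// Open reverses Seal. It fails, returning no plaintext at all, if the key is
// wrong or the blob has been modified.
func Open(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored blob too short to contain a nonce")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// Exposed reports whether a field of the record can be read straight out of
// the stored bytes, which is what an attacker copying an unencrypted table gets.
func Exposed(stored, field []byte) bool {
	return bytes.Contains(stored, field)
}

func main() {
	// Constructed record; the name, sort code and account number are fictional.
	record := []byte("name=A. Customer;sortcode=12-34-56;account=12345678")
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := Seal(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Println("plaintext store exposes account number:", Exposed(record, []byte("12345678")))
	fmt.Println("encrypted store exposes account number:", Exposed(blob, []byte("12345678")))

	// A tampered or corrupted blob is rejected outright rather than decrypted to garbage.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, tampered)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The design choice worth noting is authenticated encryption: GCM’s tag means a modified record is rejected rather than silently decrypted to corrupt data, so the control covers integrity as well as confidentiality. The encryption buys nothing if the key sits next to the data, which is why NewKey’s comment points at a separate key store.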

As the list of cyber attacks in 2015 grows again, and shows no sign of tailing off any time soon, organisations must look to their own defences. The threat is varied and very real. Cyber crime is here to stay, but why make it easy for criminals to succeed? There are steps that can be taken to reduce the risks of compromise and the impact following an incident. Customers are now expecting higher levels of cyber security; if organisations wish to maintain their reputation, they should look to deliver it.

Watch out for those iPhone/iPad phishing emails

For reasons far too dull to expand upon, there were no Apple products in my stocking this year. I have however, had a mountain of email telling me to click through various links in order to re-register my iPad, to download a free app or piece of music, and a variety of other things. Also for my iPhone (that I don’t have) a variety of free apps and other vital pieces of software I must have/register or otherwise obtain. I hope that you have not been subjected to any of this opportunistic phishing. For that is what it is.

Given that Apple products dominated Christmas this year in terms of phones and tablets, it looks like a safe bet for a phisher. Add to that that some of the recipients might be kids, inexperienced or slightly merry on Christmas Day, and therefore more likely to click an unexpected link or file and thereby deliver the toxic payload or whatever the email was designed to do.

At this point I would refer you to my previous post about making sure you are allowed to use your device on your employers networks, before you actually do. Especially if you have not been careful about what you have clicked on when you had your party hat on…

Happy 2015 everyone.

UK at the forefront of the fight against cybercrime

The UK is uniquely placed to spearhead the global response to cybercrime, according to Andy Archibald, Head of the National Crime Agency’s (NCA) National Cyber Crime Unit (NCCU). But does the UK have its cyber-ducks in line? There are many areas to consider as we push forward to promote a global response to cyber threats.

The UK is affiliated with all the right people to help move the global response forward, such as the Five Eyes Alliance, the EU, G8 cybercrime working groups, Europol and Interpol. The UK has also introduced initiatives such as Cyber Streetwise, designed to highlight and educate people about the risks to security and privacy online, both at home and at work. This is much needed, as our culture has changed so much, with flexible working seeing more of the workforce mobile and using their own devices (BYOD). Consequently, the line between these two areas of life has blurred. Additionally, there has been the introduction of the new cyber information sharing platform, part of the new CERT-UK. But what do we really need to grasp in order for standards of cybercrime detection and prevention to be improved?

However, according to a recent BT report [1], UK plc is not as concerned as the rest of the world about some key cyber topics. The UK under-indexed in perceived threat from malicious and non-malicious insider threat, organised crime, nation state and terrorism. Add to that, the same research revealed that the UK lags behind Brazil, the US, Singapore, France, Hong Kong and Germany in the percentage of businesses that see cyber security as a major priority. Raising levels of concern and C-suite engagement must surely form a key part of the battle against cybercrime.

Under-reporting of cyber-dependent and cyber-enabled crime is a significant issue. In business the reporting rate is around 2%, and 1% from private individuals [3]. This is for a variety of reasons including: not realising it is a crime, thinking it has been dealt with internally, reputational damage (in business) and not knowing where to report such matters. Add to this the fact that cybercrime is not broken out in police statistics, as these crimes are recorded under the individual law that has been broken, such as fraud. So a phisher, for instance, may not have physically taken a credit card and fraudulently used it; it may all have been done electronically. However, they are more likely to be tried for fraud than under the Computer Misuse Act. This makes cybercrime very hard to measure and therefore benchmark, making improvement or deterioration hard to quantify.

Less than a quarter of UK employees do not know what phishing [2] is, yet this is one of the most common cybercrimes. In 2009 there were 51,000 “bank” phishing websites; this increased fivefold to 256,641 in 2012. Add to this the fact that we cannot accurately attribute all fraudulent activity and financial loss experienced due to phishing, as it is often hard to identify. However, given the growth in these specific bank-related phishing sites, we can be fairly certain that this too is spectacularly under-reported. Action Fraud suggests that one third of reported frauds during January to December 2012 were cyber-enabled. That is basically 48,000 frauds in one year. Yet these frauds will not have been reported or recorded as cybercrimes.

Taking all of this into consideration then, estimating the cost of cybercrime is very hard. This is recognised by The Cabinet Office in the UK Cyber Security Strategy, “A truly robust estimate will probably never be established but it is clear the costs are high and that they are rising.” The general consensus informally is that we are talking billions of pounds.

It will be challenging to gauge our response if we don’t know how cybercrime is evolving, based on an accurate assessment of reporting and UK plc cyber preparedness. Placing the UK at the forefront of the fight means the UK needs to significantly up its cyber-game.

[Chart: Global index 2014]

_________________________________________________________________


Sources: [1] BT Cyber Readiness Survey 2014; [2] OnePoll survey for PhishMe; [3] Home Office, “Cyber Crime: A Review of the Evidence”.

Cyber for Beginners and UK Cyber Security Posture…

It was great to connect with some of you at Infosec Europe and Counter Terror Expo. These events were more challenging than normal with the tube strike but as you would expect, everyone rallied round and made the best of it. In the end I think a good time was had by all.

Of course, time doesn’t stand still and there are some upcoming events you might want to know about/attend.

Mike Gillespie, our MD and Director of Cyber Strategy & Research for the Security Institute, will be delivering a Cyber Master Class for the Institute on June 5th. You do not need any kind of technical cyber background: this is a beginner’s guide, designed for security professionals who would like to expand their knowledge and understand the impact of cyber. It is open to non-members too.

It will be delivered at our training centre in the Midlands (just off the M5); details and booking are available via the Security Institute website: http://bit.ly/1kL1AwQ

Moving on, June 17th sees the start of IFSEC at its new location at ExCeL in Docklands. You may be interested in a presentation from Mike Gillespie on the UK posture on cyber security and what research is showing us: it looks like a lag in understanding from UK plc. This is on day 2 (the 18th). Again, the Security Institute will have full details.

Heartbleed – some info and some advice

If we can help then get in touch, but here is some information for you: Advent IM Help and Advice for Heartbleed